Purpose
To ensure that all computerized systems used in the manufacturing and quality control of medicinal products guarantee data integrity, traceability, and reliability throughout their lifecycle.
Key Requirements for Compliance

| Category | What Circularo (or any e-signature platform) must demonstrate |
|---|---|
| System Validation | Validation documentation proving the system performs as intended (Installation Qualification, Operational Qualification, Performance Qualification - IQ/OQ/PQ). |
| Access Control | Secure, role-based permissions ensuring only authorized users can perform specific actions. |
| Audit Trails | Automatic, time-stamped records of all system activities (signing, document changes, deletions, etc.). Audit trails must be tamper-proof and accessible for review. |
| Electronic Signatures | Must be uniquely linked to one person, capable of identifying that person, and include date/time stamps. |
| Data Integrity | Stored records must be protected from alteration or loss. Version control and traceability are key. |
| Change Control & Configuration Management | Any change to the system or its configuration must be documented and validated. |
| Training & SOPs | Staff using the system must be trained, and standard operating procedures (SOPs) must exist for all processes. |
| Vendor Qualification | If Circularo is a software vendor, pharmaceutical clients must be able to audit or assess its development, testing, and security processes. |

Who Audits Annex 11 Compliance
There is no central “Annex 11 certification authority”. Compliance is verified through GMP inspections conducted by:
- National Regulatory Agencies in the EU (e.g. EMA, MHRA in the UK, BfArM in Germany, AIFA in Italy).
- During audits of a pharmaceutical company, inspectors also review their IT systems and vendors for Annex 11 compliance.
- So, Circularo would be indirectly audited - usually by the client’s QA or compliance team or by regulators when the system is used in a validated environment.
In short: Annex 11 compliance = demonstrated through validation documentation, not a formal certificate.
Documentation Typically Required from the Vendor
To help clients prove compliance, Circularo should be able to provide or facilitate:
- System Validation Package (IQ/OQ/PQ reports or vendor-supplied validation documents)
- Technical & Security Architecture Overview
- Audit Trail Samples
- Data Retention and Backup Policy
- Access Control and Authentication Policy
- Change Control Procedures
- Training and SOP documentation
- Statement of Compliance outlining how the platform meets Annex 11 / Part 11 requirements
Annex 11 & 21 CFR Part 11 Compliance Mapping for Circularo

| Compliance Area | How Circularo Demonstrates Compliance | Applicable Regulation(s) |
|---|---|---|
| | Validation documentation confirming installation (IQ), operational (OQ), and performance (PQ) requirements are met. Includes functional tests, electronic signature validation, and audit-trail verification. | Annex 11 §4 |
| | Role-based access, secure login with unique user IDs, password complexity rules, optional MFA, session-timeout policies, and revocation controls. | Annex 11 §12 |
| | Immutable, time-stamped logs automatically recording all key user and system actions (sign, modify, delete, export). Audit data is tamper-evident and exportable for inspection. | Annex 11 §9 |
| | Signatures uniquely linked to individual users and bound to signed content via cryptographic hash; capture of signer identity, date/time, and intent (“Approved”, “Reviewed”, etc.). | Annex 11 §14 |
| | Encrypted storage, version control, checksums, and restricted deletion rights ensure authenticity and long-term readability of records. | Annex 11 §8 |
| | HTTPS/TLS encryption in transit, AES encryption at rest, access logging, periodic vulnerability scans, and GDPR-compliant processing. | Annex 11 §7 |
| | Formal change-management process; all configuration or feature changes are documented, tested, and approved before release. | Annex 11 §1–2 |
| | Documented procedures for validation, security, backup, and incident response; staff training records maintained to ensure competence. | Annex 11 §2 |
| | Circularo provides quality documentation and security policies for customer supplier-qualification or vendor-audit programs. | Annex 11 §3 |
| 10. Audit & Inspection Support | Platform offers exportable logs, configuration documentation, and validation evidence to support client GMP/FDA audits. | Annex 11 §9–14 |
| 11. Electronic Record Retention & Retrieval | Archived documents remain retrievable and readable for the full retention period defined by the customer; integrity verification ensures authenticity. | Annex 11 §8 |
| 12. Statement of Compliance | Vendor can issue a signed statement summarizing adherence to Annex 11 and 21 CFR Part 11 principles; supports clients’ validation packages. | Annex 11 |

Auditing & Certification

| Regulation | Primary Audit/Inspection Body | Audit Approach |
|---|---|---|
| EU Annex 11 | EU GMP authorities - e.g. EMA, MHRA, BfArM, AIFA | Verified during GMP inspections of pharma manufacturers; vendor audited by client QA/compliance teams. No central certificate issued. |